Message ID | NCFQ9xf--3-2@tutanota.com |
---|---|
State | New |
Series | [bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs |
Commit Message
Emma Turner
Sept. 18, 2022, 11:47 a.m. UTC
Comments
This is a duplicate of https://issues.guix.gnu.org/57910
merge 57909 57910
thanks

The given example "make authenticate" is insecure, it has a TOCTTOU problem as indicated at <https://issues.guix.gnu.org/22883#59>:

> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.

The solution that was proposed

> We can solve it by removing ./pre-inst-env from the command in ‘make
> authenticate’.

would be undone by the proposed patch. Even then, it remains insecure, as an attacker could have modified the "make authenticate", as explained in more detail at <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.

As such, I think we really shouldn't recommend "make authenticate" (and even remove "make authenticate". In fact, I think we should remove "make authenticate" and replace the instructions with a direct "guix git authenticate ...".

As such, I propose that:

* you adjust the patch to note that authenticating the checkout is impossible if you don't already have Guix installed (instead of recommending the insecure "make authenticate")
* I write a patch removing "make authenticate" and adjusting old uses of "make authenticate" to "guix git authenticate ...".

Greetings,
Maxime.
reopen 57909
thanks

Looks like the closing was accidental, reopening. See <https://debbugs.gnu.org/server-control.html> if you're interested in how to use these debbugs commands (anyone can send those, somehow the wide permissions don't cause problems).

Greetings,
Maxime.
Hi,

Maxime Devos <maximedevos@telenet.be> skribis:

> As such, I think we really shouldn't recommend "make authenticate"
> (and even remove "make authenticate". In fact, I think we should
> remove "make authenticate" and replace the instructions with a direct
> "guix git authenticate ...".

“make authenticate” runs ‘guix git authenticate’ with the right parameters; importantly, it runs the already-installed ‘guix’, not the one in the build tree, so it’s safe (prepending “./pre-inst-env” wouldn’t be safe as you wrote).

So I’m not sure we really need changes; WDYT?

Ludo’.
On 24-09-2022 17:58, Ludovic Courtès wrote:

> Hi,
>
> Maxime Devos<maximedevos@telenet.be> skribis:
>
>> As such, I think we really shouldn't recommend "make authenticate"
>> (and even remove "make authenticate". In fact, I think we should
>> remove "make authenticate" and replace the instructions with a direct
>> "guix git authenticate ...".
> “make authenticate” runs ‘guix git authenticate’ with the right
> parameters; importantly, it runs the already-installed ‘guix’, not the
> one in the build tree, so it’s safe (prepending “./pre-inst-env”
> wouldn’t be safe as you wrote).
>
> So I’m not sure we really need changes; WDYT?

While ordinarily, it is true that "make authenticate" runs "guix git authenticate" (and not ./pre-inst-env guix git authenticate), an attacker could have modified Makefile.am to _not_ call "guix git authenticate", as I've explained in the paragraph above the one you quoted:

> The solution that was proposed [...]. __Even then, it remains
> insecure, as an attacker could have modified the "make authenticate",
> as explained in more detail at
> <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.

More concretely, I've worked out a method the hypothetical attacker could use the fact that "Makefile.am" is used before it is authenticated in the message pointed to by the link I quoted: https://logs.guix.gnu.org/guix/2022-09-14.log#172610 :

<maximed>civodul: Currently, it's like verifying the authenticity of a gnupg tarball, by extracting the gnupg tarball, compiling it, and running the freshly compiled gnupg tarball.
<antipode>Translated to Guix:
<antipode>(1) You run "git pull" (2) an attacker has intercepted the network connection and modified Makefile.am's authenticate target to always 'succeed'. Additionally, the attacker inserts some malicious code somewhere (e.g. some code in Makefile.am to upload your GnuPG keys to evil.com). To add some stealth, the modified Makefile.am automatically reverts the malicious commit. (3) You run "make authenticate" as recommended by the manual, and now the attacker has your private keys.

Do you see a flaw in this explanation?

Greetings,
Maxime.
Hi,

Maxime Devos <maximedevos@telenet.be> skribis:

> While ordinarily, it is true that "make authenticate" runs "guix git
> authenticate" (and not ./pre-inst-env guix git authenticate), an
> attacker could have modified Makefile.am to _not_ call "guix git
> authenticate", as I've explained in the paragraph above the one you
> quoted:

Oh you’re right; sorry for overlooking this.

So yes, that calls for recommending the full ‘guix git authenticate’ command for the initial checkout.

Thanks,
Ludo’.
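
The argument the thread settles on, that a check shipped inside the tree it is meant to verify proves nothing, shown as a small shell model (an added example, not part of the original messages and not Guix code). The file names, the `authenticate.sh` script standing in for the `make authenticate` target, and the pinned digest standing in for the trust an installed `guix` brings from outside the checkout are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed model, not Guix code: authenticate.sh stands in for the
# Makefile.am "authenticate" target; the pinned digest stands in for the
# trust anchor held by an already-installed guix, outside the checkout.

digest() {  # SHA-256 of file $1, with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_checkout() {  # $1 = directory, $2 = clean | tampered
    mkdir -p "$1"
    printf 'trusted source\n' > "$1/source.txt"
    cat > "$1/authenticate.sh" <<'EOF'
#!/bin/sh
# Honest in-tree check of the file next to this script.
[ "$(cat "$(dirname "$0")/source.txt")" = "trusted source" ]
EOF
    if [ "$2" = tampered ]; then
        # A pull that changes the source can change the checker with it.
        printf 'trusted source plus unreviewed change\n' > "$1/source.txt"
        printf '#!/bin/sh\nexit 0\n' > "$1/authenticate.sh"
    fi
}

# Check shipped inside the tree: its verdict is whatever the tree says.
in_tree_check() { sh "$1/authenticate.sh"; }

# Check run from outside the tree against a value recorded beforehand.
out_of_tree_check() { [ "$(digest "$1/source.txt")" = "$2" ]; }

demo() {
    tmp=$(mktemp -d)
    make_checkout "$tmp/known-good" clean
    pinned=$(digest "$tmp/known-good/source.txt")
    make_checkout "$tmp/pulled" tampered
    in_tree_check "$tmp/pulled" && echo "in-tree check: pass (wrong)"
    out_of_tree_check "$tmp/pulled" "$pinned" || echo "out-of-tree check: fail (tampering caught)"
    rm -rf "$tmp"
}
demo
```

In the Guix case the out-of-tree role is played by the already-installed `guix git authenticate`, which is what the thread concludes the manual should recommend for the initial checkout.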
From 4849857fcf13f8de572d030cd15defd1f2b84768 Mon Sep 17 00:00:00 2001 From: Emma Turner <em.turner@tutanota.com> Date: Sun, 18 Sep 2022 12:40:17 +0100 Subject: [PATCH] doc: link pre-inst-env from building from git docs --- doc/contributing.texi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/contributing.texi b/doc/contributing.texi index 17a54f94cc..d4cd57141d 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi @@ -159,6 +159,14 @@ checkout by running: make authenticate @end example +If you get an error of @code{guix: command not found}, then you can refer +to the new instance you built above, by running the following +(see @pxref{Running Guix Before It Is Installed}): + +@example +./pre-inst-env make authenticate +@end example + The first run takes a couple of minutes, but subsequent runs are faster. Or, when your configuration for your local Git repository doesn't match -- 2.36.1
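
Review bot: the added `./pre-inst-env make authenticate` example in the `@@ -159,6 +159,14 @@` hunk of doc/contributing.texi has the checkout authenticated by the guix that was just built from that same, not yet authenticated checkout, so a modified tree gets to decide its own verdict. Suggest dropping the example and instead telling readers who hit `guix: command not found` that authenticating the checkout requires an already-installed Guix. Separately, `(see @pxref{Running Guix Before It Is Installed})` will render the word "see" twice, because @pxref already produces it; write `(@pxref{Running Guix Before It Is Installed})`.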